servicetitan/arcade-eval
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

cat1: FINALIZE scorecard (draft 4/5); STATUS + cat-5 NOTES ready for fresh-session handoff

Browse Source
This commit is contained in:
iztaylor
2026-06-22 09:55:01 -04:00
parent 8b48f5813e
commit 53f960409e
5 changed files with 95 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files
STATUS.md
+10 -8
View File
@@ -1,18 +1,19 @@
# STATUS — "you are here" handoff
Each lane owns its own section. Update yours; don't touch others'. Keep it terse.
Last full-repo update: 2026-06-18 (scaffold).
Last full-repo update: 2026-06-22.
## Category 1 — Functional MCP Gateway Capability
- Owner: ztaylor
- Status: in progress (scaffold done; executing per `~/repos/docs/arcade-eval-plan.md`)
- Last live-state check:
- Notes: cat-1 lane = this session. Per-user tests via `user_id` headers (real Entra SSO → cat 2).
- Status: **SCORED (draft 4/5)**`categories/cat1-functional/criteria-section-1.md`, awaiting user paste into the Google Doc.
- Last live-state check: 2026-06-22
- Result: protocol/curation/mixed/dynamic-reg/zero-config-clients all PASS; per-user execution proven (`whoami` A→A/B→B); Claude Code connected via Arcade-Headers AND Entra OAuth. One finding: per-user tool-LIST scoping is gateway-wide, not native (→ cat-3/separate gateways).
- Fixtures (reusable): gateway `zeb-gateway-test`; ref server `arcade-eval-ref` (lib/mcp_server) registered via cloudflared quick tunnel (EPHEMERAL — re-establish for cat-9; see LIVE-POC).
## Category 2 — Delegated Authorization and Identity
- Owner: — (security cluster: Dane / Chandu)
- Status: not started (criteria stub seeded)
- Notes: holds the Entra/Okta SSO login → identity-mapping test (a teammate can be User B).
- Status: not started (criteria stub seeded)**but cat-1 work already generated strong evidence; see LIVE-POC "Known behaviors".**
- Notes: holds the Entra/Okta SSO login → identity-mapping test. Open finding: User Source keys user_id on opaque Entra `sub`, mismatching the dashboard email → blocks downstream OAuth consent bind (fix: map User Source to the email claim). Google provider redirect-uri/secret issue was resolved 2026-06-22.
## Category 3 — Tool-Level Access Control and Policy
- Owner: — (security cluster)
@@ -24,8 +25,9 @@ Last full-repo update: 2026-06-18 (scaffold).
## Category 5 — Auditability and Observability
- Owner: ztaylor
- Status: not started (criteria stub seeded)
- Notes: metrics → Grafana/Mimir (NOT ELK); engine OTLP currently dropped (no collector). See LIVE-POC.
- Status: **NEXT — start here in a fresh session** (invoke skill `arcade-gateway-eval`; read this + LIVE-POC; run live-state check). See `categories/cat5-auditability/NOTES.md` for the plan.
- Last live-state check: —
- Notes: metrics → **Grafana/Mimir** (NOT ELK); logs → ELK (Vector). Engine OTLP currently **dropped** — collector `arcade-otel-collector:4318` doesn't resolve. First task = OTEL collector → Prometheus/Mimir remediation (with the user; touches `k8s-backstage-v2/apps/arcade`). Full evidence + remediation shapes in LIVE-POC "Observability".
## Category 6 — Security and Compliance
- Owner: — (security cluster)